caspervk/nixos
1
0
Fork 0
Code Actions Activity

Use secrets from nixos-secrets repo

Browse source
This commit is contained in:
Casper V. Kristensen 2024-03-28 16:35:03 +01:00
parent 0c7fd0b807
commit e1cce32613
10 changed files with 95 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
README.md
View file

@ -73,9 +73,13 @@ even if we had a scheme to securely transfer them to each system. [Agenix](https
solves this issue by encrypting the secrets using [age](https://github.com/FiloSottile/age), and then decrypting solves this issue by encrypting the secrets using [age](https://github.com/FiloSottile/age), and then decrypting
and symlinking them using the system's SSH host key during system activation. and symlinking them using the system's SSH host key during system activation.
To bootstrap a new system, we must first generate a host key manually using `ssh-keygen -A -f /mnt/nix/persist` All secrets, and other private configuration such as DNS zonefiles, are stored
during installation. Then, on an existing system, add the new host's public key to `secrets.nix` and rekey all in a separate, private [repo](https://git.caspervk.net/caspervk/nixos-secrets).
secrets using `agenix --rekey`. Commit and push the changes and proceed below. To bootstrap a new system, we must first generate a host key manually using
`ssh-keygen -A -f /mnt/nix/persist` during installation. Then, on an existing
system, add the new host's public key to `secrets.nix` in the `nixos-secrets`
repo and rekey all secrets using `agenix --rekey`. Commit and transfer the
repository to the new system.
When managing secrets, the Keepass recovery key is used like so: When managing secrets, the Keepass recovery key is used like so:
```fish ```fish
@ -93,7 +97,7 @@ cd tmp/
nixos-generate-config --root /mnt --show-hardware-config nixos-generate-config --root /mnt --show-hardware-config
vim hosts/omega/hardware.nix vim hosts/omega/hardware.nix
git add . # nix sometimes ignores files outside version control git add . # nix sometimes ignores files outside version control
nixos-install --no-root-passwd --flake .#omega nixos-install --no-root-passwd --flake .#omega --override-input secrets ./../nixos-secrets/
``` ```
### Hardware Configuration ### Hardware Configuration
@ -107,8 +111,8 @@ enough](https://sourcegraph.com/search?q=context%3Aglobal+repo%3A%5Egithub%5C.co
## Useful Commands ## Useful Commands
```fish ```fish
# upgrade system # development
sudo nixos-rebuild switch --flake . sudo nixos-rebuild switch --flake . --override-input secrets ./../nixos-secrets/
# start build environment with user's default shell instead of bash # start build environment with user's default shell instead of bash
nix develop --command $SHELL nix develop --command $SHELL
@ -122,8 +126,7 @@ nix shell --impure --expr 'with builtins.getFlake "nixpkgs"; with legacyPackages
### Debugging ### Debugging
```nix ```nix
# load flake into repl # load flake into repl
nix repl nix repl . --override-input secrets ./../nixos-secrets/
:lf .
# print a configuration option # print a configuration option
:p nixosConfigurations.omega.options.services.openssh.ports.declarationPositions # declaration :p nixosConfigurations.omega.options.services.openssh.ports.declarationPositions # declaration

54
flake.lock
View file

@ -32,11 +32,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1706981411, "lastModified": 1710888565,
"narHash": "sha256-cLbLPTL1CDmETVh4p0nQtvoF+FSEjsnJTFpTxhXywhQ=", "narHash": "sha256-s9Hi4RHhc6yut4EcYD50sZWRDKsugBJHSbON8KFwoTw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "652fda4ca6dafeb090943422c34ae9145787af37", "rev": "f33900124c23c4eca5831b9b5eb32ea5894375ce",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -53,11 +53,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1710820906, "lastModified": 1711625603,
"narHash": "sha256-2bNMraoRB4pdw/HtxgYTFeMhEekBZeQ53/a8xkqpbZc=", "narHash": "sha256-W+9dfqA9bqUIBV5u7jaIARAzMe3kTq/Hp2SpSVXKRQw=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "022464438a85450abb23d93b91aa82e0addd71fb", "rev": "c0ef0dab55611c676ad7539bf4e41b3ec6fa87d2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -89,11 +89,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1710644923, "lastModified": 1711249705,
"narHash": "sha256-0fjbN5GYYDKPyPay0l8gYoH+tFfNqPPwP5sxxBreeA4=", "narHash": "sha256-h/NQECj6mIzF4XR6AQoSpkCnwqAM+ol4+qOdYi2ykmQ=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-index-database", "repo": "nix-index-database",
"rev": "e25efda85e39fcdc845e371971ac4384989c4295", "rev": "34519f3bb678a5abbddf7b200ac5347263ee781b",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -104,11 +104,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1710783728, "lastModified": 1711352745,
"narHash": "sha256-eIsfu3c9JUBgm3cURSKTXLEI9Dlk1azo+MWKZVqrmkc=", "narHash": "sha256-luvqik+i3HTvCbXQZgB6uggvEcxI9uae0nmrgtXJ17U=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "1e679b9a9970780cd5d4dfe755a74a8f96d33388", "rev": "9a763a7acc4cfbb8603bb0231fec3eda864f81c0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -120,11 +120,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1710695816, "lastModified": 1711460390,
"narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=", "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "614b4613980a522ba49f0d194531beddbb7220d3", "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -136,11 +136,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1710806803, "lastModified": 1711523803,
"narHash": "sha256-qrxvLS888pNJFwJdK+hf1wpRCSQcqA6W5+Ox202NDa0=", "narHash": "sha256-UKcYiHWHQynzj6CN/vTcix4yd1eCu1uFdsuarupdCQQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b06025f1533a1e07b6db3e75151caa155d1c7eb3", "rev": "2726f127c15a4cc9810843b96cad73c7eb39e443",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -159,7 +159,23 @@
"nix-index-database": "nix-index-database", "nix-index-database": "nix-index-database",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable" "nixpkgs-unstable": "nixpkgs-unstable",
"secrets": "secrets"
}
},
"secrets": {
"locked": {
"lastModified": 1711637855,
"narHash": "sha256-ZFMl20Qils3CWuAqvDqKjyyMgwz1pDb7PlfgaUAle38=",
"ref": "refs/heads/master",
"rev": "ac8e242cc499ae120136022f30aaf315ef08da93",
"revCount": 4,
"type": "git",
"url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
},
"original": {
"type": "git",
"url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
} }
}, },
"systems": { "systems": {

3
flake.nix
View file

@ -2,6 +2,9 @@
description = "NixOS system"; description = "NixOS system";
inputs = { inputs = {
secrets = {
url = "git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git";
};
nixpkgs = { nixpkgs = {
url = "github:NixOS/nixpkgs/nixos-23.11"; url = "github:NixOS/nixpkgs/nixos-23.11";
}; };

10
hosts/alpha/network.nix
View file

@ -1,4 +1,8 @@
{config, ...}: { {
config,
secrets,
...
}: {
systemd.network = { systemd.network = {
# Main interface # Main interface
networks."10-lan" = { networks."10-lan" = {
@ -80,14 +84,14 @@
}; };
age.secrets.wireguard-preshared-key-file = { age.secrets.wireguard-preshared-key-file = {
file = ../../secrets/wireguard-preshared-key-file.age; file = "${secrets}/secrets/wireguard-preshared-key-file.age";
mode = "640"; mode = "640";
owner = "root"; owner = "root";
group = "systemd-network"; group = "systemd-network";
}; };
age.secrets.wireguard-private-key-file-alpha = { age.secrets.wireguard-private-key-file-alpha = {
file = ../../secrets/wireguard-private-key-file-alpha.age; file = "${secrets}/secrets/wireguard-private-key-file-alpha.age";
mode = "640"; mode = "640";
owner = "root"; owner = "root";
group = "systemd-network"; group = "systemd-network";

10
hosts/omega/borg.nix
View file

@ -1,8 +1,14 @@
{...}: { {secrets, ...}: {
imports = [ imports = [
../../modules/borg.nix ../../modules/borg.nix
]; ];
services.borgbackup.jobs.root.repo = "ssh://u394155-sub1@u394155.your-storagebox.de:23/./root"; services.borgbackup.jobs.root.repo = "ssh://u394155-sub1@u394155.your-storagebox.de:23/./root";
age.secrets.borg-passphrase-file.file = ../../secrets/borg-passphrase-file-omega.age;
age.secrets.borg-passphrase-file = {
file = "${secrets}/secrets/borg-passphrase-file-omega.age";
mode = "400";
owner = "root";
group = "root";
};
} }

10
hosts/omega/network.nix
View file

@ -1,4 +1,8 @@
{config, ...}: { {
config,
secrets,
...
}: {
systemd.network = { systemd.network = {
config = { config = {
routeTables = { routeTables = {
@ -94,14 +98,14 @@
}; };
age.secrets.wireguard-preshared-key-file = { age.secrets.wireguard-preshared-key-file = {
file = ../../secrets/wireguard-preshared-key-file.age; file = "${secrets}/secrets/wireguard-preshared-key-file.age";
mode = "640"; mode = "640";
owner = "root"; owner = "root";
group = "systemd-network"; group = "systemd-network";
}; };
age.secrets.wireguard-private-key-file-omega = { age.secrets.wireguard-private-key-file-omega = {
file = ../../secrets/wireguard-private-key-file-omega.age; file = "${secrets}/secrets/wireguard-private-key-file-omega.age";
mode = "640"; mode = "640";
owner = "root"; owner = "root";
group = "systemd-network"; group = "systemd-network";

9
hosts/zeta/borg.nix
View file

@ -1,8 +1,13 @@
{...}: { {secrets, ...}: {
imports = [ imports = [
../../modules/borg.nix ../../modules/borg.nix
]; ];
services.borgbackup.jobs.root.repo = "ssh://u394155-sub2@u394155.your-storagebox.de:23/./root"; services.borgbackup.jobs.root.repo = "ssh://u394155-sub2@u394155.your-storagebox.de:23/./root";
age.secrets.borg-passphrase-file.file = ../../secrets/borg-passphrase-file-zeta.age; age.secrets.borg-passphrase-file = {
file = "${secrets}/secrets/borg-passphrase-file-zeta.age";
mode = "400";
owner = "root";
group = "root";
};
} }

3
modules/base/users.nix
View file

@ -1,6 +1,7 @@
{ {
config, config,
pkgs, pkgs,
secrets,
... ...
}: { }: {
users = { users = {
@ -27,7 +28,7 @@
}; };
age.secrets.users-hashed-password-file = { age.secrets.users-hashed-password-file = {
file = ../../secrets/users-hashed-password-file.age; file = "${secrets}/secrets/users-hashed-password-file.age";
mode = "400"; mode = "400";
owner = "root"; owner = "root";
group = "root"; group = "root";

7
modules/borg.nix
View file

@ -117,11 +117,4 @@
programs.ssh.knownHosts = { programs.ssh.knownHosts = {
"[u394155.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs"; "[u394155.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
}; };
age.secrets.borg-passphrase-file = {
# file set on each host
mode = "400";
owner = "root";
group = "root";
};
} }

16
modules/server/system.nix
View file

@ -1,4 +1,8 @@
{...}: { {
config,
secrets,
...
}: {
# Automatically `nixos-rebuild switch` daily with the latest configuration # Automatically `nixos-rebuild switch` daily with the latest configuration
# from git. This overwrites any uncommitted changes in ~/nixos/, which is why # from git. This overwrites any uncommitted changes in ~/nixos/, which is why
# it is only enabled on servers. Note that this requires updating flake.lock # it is only enabled on servers. Note that this requires updating flake.lock
@ -10,4 +14,14 @@
enable = true; enable = true;
flake = "git+https://git.caspervk.net/caspervk/nixos.git"; flake = "git+https://git.caspervk.net/caspervk/nixos.git";
}; };
# The `nixos-secrets` flake input requires authentication
systemd.services.nixos-upgrade.environment.GIT_SSH_COMMAND = "ssh -i ${config.age.secrets.autoupgrade-deploy-key.path}";
age.secrets.autoupgrade-deploy-key = {
file = "${secrets}/secrets/autoupgrade-deploy-key.age";
mode = "400";
owner = "root";
group = "root";
};
} }